As the risk of cyber attacks respects no borders, a cohesive and harmonised EU-level approach to cyber security is appropriate. It is therefore understandable that UK organisations have questions following the recent referendum result, and the UK’s imminent split from the EU. How your organisation should react to Brexit from a cyber security perspective is still uncertain. However, the UK currently remains part of the EU and will continue to do so until a withdrawal agreement has entered into force, or, by default, at the end of the two-year negotiation period following the invocation of Article 50 of the Lisbon Treaty. As it stands, EU regulations and directives, and the statutory instruments transposing those directives into UK law, still have effect. But what will the future of cyber security in the UK look like?
The Current EU Cyber Security Framework In 2013 the European Commission proposed the Network and Information Security Directive (NISD), with the objective of harmonising the European approach to combating cyber risk. In May 2016 the European Council formally adopted the new rules which aim to:
- Improve cooperation between member states on the issue of cyber security.
- Improve and standardise cyber security capabilities in member states.
- Require each EU country to designate one or more national authorities.
- Ensure that operators of essential services in critical sectors (e.g., banking, health care, energy, and transport), and key digital service providers (e.g., online marketplaces, search engines and cloud services), take appropriate security measures and report cyber security incidents to the national authorities.
- Establish an EU-wide strategy for dealing with cyber threats.
The NISD will build on previous directives such as directives 2002/58/EC and 2002/21/EC, which placed obligations on organisations in the electronic communications sector to implement appropriate technical and organisational measures to ensure the security of personal data and protect the integrity of their systems. The NISD intends to harmonise the varied implementation of these directives by requiring each member state to implement a national network and information security strategy, a minimum threshold for the harmonisation of security, and mandatory incident notification. Cooperation between both public and private entities is an essential component of the NISD, allowing for the circulation of early warnings on risks and incidents to ensure a coordinated response.